Role - Agent ACL

<[^>]+?>","")"/>

<[^>]+?>","")" class="contextID">

The Agent ACL panel lets you enter information that determines how a user establishes a connection to an RSCD agent on a remote server.

BMC Server Automation allows you to perform certain functions when that connection is established, and the definitions you provide on this page control those functions. For example, you can specify that a user with this role has privileges equivalent to root on the remote server. You can associate a Windows automation principal with a role. Or, you can specify that a user with this role only has access to a particular directory on the remote server.

The Agent ACL panel provides most of the same functionality as the users configuration file on an RSCD agent. For more information about the users file, see Users and users.local files overview.

After you have defined a role, you should run an ACL Push Job on servers that the role is authorized to access. The ACL Push Job copies access control list (ACL) information derived from the role definition and uses it to overwrite the users configuration file. After you have pushed ACL information to an agent, the settings you have defined for the role are used to control all incoming connections to that agent. For more information about pushing ACLs, see Controlling server access with agent ACLs.

Field definitions

Field	Description
User must exist on agent	Check to instruct a server to allow a connection from a user only when an account with the same user name exists on the server. This option is analogous to the exists option in the users configuration file.
Allowed Hosts	Specify the hosts from which a user can connect to a server. Separate host names with a colon, such as `host1:host2:host3`.
Read Only and Read/Write	Specify whether all users in the role are granted either read-only or read/write permission on servers. You cannot use a role to give read-only permission to some users and read/write permission to others. Use the users.local file to create a more fine-grained set of permissions. For more information, see Users and users.local files overview.
Map to user name	Check to force a user connecting to a server to have the same permissions as a user with that same name on the server. For example, if you check this option and user betty connects to a server, she has the same permissions as those already defined for user betty on the server. If you check this option, a user cannot connect to a server unless an identical user name is already defined on the server.
Platform Related	Define permissions that vary by platform. Click the UNIX tab and enter the following values as they apply to UNIX servers. Then click the WINDOWS tab and enter the following values as they apply to Windows servers: User Map — Define a user name to which incoming connections on a server should be mapped by doing one of the following: Select Map to and enter a user name. Select Use property and enter a property name or use Select Property , which displays a list of server properties. User mapping forces users who have assumed this role to operate with the same permissions as the user name to which they are mapped. For example, you might enter root or anon for UNIX systems or Administrator or Guest for Windows. If you do not specify a user name to which incoming connections should be mapped and you have not checked the Map to user name flag, RBAC automatically maps each incoming user to a user with the same name on the server. For example, incoming user "joe" is automatically mapped to user joe on the server. If joe does not exist on the server, RBAC maps joe to nobody on UNIX systems and Anonymous on Windows. Using a property rather than a name allows you to map a role to different user names on different servers. For example, if you map to a property called `ADMIN_USER`, that property could be defined as Administrator on one server and a different name on another server. If you specify a property that identifies an automation principal, the role of the incoming user is mapped to the user specified in the automation principal. For more information on mapping to an automation principal, see Using server properties to map automation principals for Windows user mapping. For more information about user mapping, see Impersonation and privilege mapping. Root Directory — Enter the highest directory that the user can see. The user is able to see that directory and all of its subdirectories. This option applies exclusively to Network Shell-only user entries that are generated and pushed to agents. The Root Directory option is analogous to the rootdir option in the users configuration file. Flags — For UNIX, the following flags are available: Silently ignore setting of `setuid` and `setgid` bits — Instructs a UNIX server to prevent users from setting the setuid or setgid bits when creating a file or changing a file's permissions. This option is analogous to the nosuid option in the users configuration file. It is only available on the UNIX tab. Fail on mknod(2) system call — Instructs a UNIX server to prevent users from making calls to the `mknod` system call. This option is analogous to the nomknod option in the users configuration file. It is only available on the UNIX tab. Automation Principal — Select an automation principal that should be mapped to this role or select None. For more information about automation principals, see Automation principals and server management. The Automation Principal option is only available on the WINDOWS tab. Note that if you create a role by copying an existing role and that role includes an automation principal, the newly created role does not include the automation principal.

Role - Agent ACL

Comments